¶7. (U) Iraq

¶8. (S//NF) Alleged plans by various insurgent groups to
conduct  attacks  during  anticipated  U.S.  military  withdrawal 
from  urban  areas:  According  to  recent  multiple  source 
reports,  various  insurgent  groups  and  militias  intend  on 
attacking  multiple  venues  throughout  Iraq  in  anticipation  of 
U.S.  military  forces  withdrawal  from  urban  areas.  Specific 
targets  mentioned  included  the  International  Zone  (IZ), 
Victory  Base  Complex,  joint  security  stations,  and  various 
forward  operating  bases  in  Baghdad  and  in  Maysan  Province 
(southern  Iraq).  Allegedly,  insurgent  groups  also  are 
prepared  to  target  key  infrastructure,  such  as  bridges  and 
major  supply  routes  used  by  Coalition  forces  (CF)  and  Iraqi 
Security  Forces  (ISF)  convoys.  According  to  one  source,  an 
unidentified  group  had  access  to  a large  tank  of  chlorine,  16 
V-8  rockets,  and  three  torpedoes  which  were  supposedly 
recovered  by  the  CF  and  ISF.  The  reports  mentioned  the 
attacks  would  commence  on  or  about  July  1.  The  Government  of 
Iraq  is  anticipating  the  offensive  and  has  placed  ISF  units 
on  alert  and  cancelled  all  leave  effective  June  28. 


¶9. (S//NF) DS/TIA/ITA would like to note the series of
reports  are  consistent  with  other  recent  threat  reporting 
indicating  the  possibility  of  insurgent  groups  and  militias 
preparing  to  increase  attacks  in  anticipation  of  troop 
withdrawal  from  urban  areas.  It  is  possible  that 
extremist-affiliated  groups  would  seek  to  target  the  IZ  and 
the  Victory  Base  Complex,  as  the  venues  are  symbolic  of  the 
U.S.  diplomatic  and  military  presence  in  Iraq.  It  is  also 
plausible  the  groups  may  surmise  that  a large  attack  against 
CF  troops  in  these  areas  would  be  ideal,  as  it  would  serve  as 
propaganda for them, allowing them to take credit for driving
out "occupying forces."

¶10. (S//NF) DS/TIA/ITA would also highlight the allegation of
the  existence  of  the  weapons  cache,  as  the  materials  could 
possibly  be  used  as  components  for  improvised  rocket-assisted 
munitions  or  an  improvised  explosive  device  (IED).  According 
to  the  Multi-National  Forces  in  Iraq  Combined  Intelligence 
Operations  Cell,  the  first  documented  chlorine  attack 
occurred  in  al-Anbar  Province  (western  Iraq)  on  October  21, 
2006,  and  the  first  documented  chlorine  vehicle-borne  IED 
(VBIED)  in  the  Baghdad  area  occurred  in  Taji  on  February  20, 
2007. Despite the claims by insurgent groups and militias of
chlorine-related  attacks,  their  incident  rates  remain  low  and 
inconsistent.  While  DS/TIA/ITA  cannot  corroborate  the 
veracity  of  the  recent  threat  reporting,  overall,  there  is 
nothing  to  suggest  that  the  intention  to  attack  the  U.S. 
presence  in  Iraq  will  subside  once  a military  troop 
withdrawal  is  completed.  (Appendix  sources  1-7) 

¶11. (SBU) Indirect fire (IDF) of unknown size was launched
against  the  IZ  in  Baghdad  at  9:22  p.m.  on  June  24.  The  IDF 
impacted  in  the  river  approximately  250  meters  south  of  the 
U.S.  Embassy  compound.  No  injuries  or  damages  were  reported. 
(RSO  TOC  Baghdad  Spot  Report) 

¶12. (U) Significant Events

¶13. (C) WHA Honduras - Honduran military forces arrested
President  Manuel  Zelaya  June  28  according  to  orders  issued  by 
the  National  Congress  and  the  Supreme  Court  of  Honduras. 

Zelaya  was  taken  to  a local  air  force  base  and  flown  to  Costa 
Rica.  Emergency  Action  Committee  (EAC)  Tegucigalpa 
subsequently  met  to  discuss  the  ramifications  of  the  seizure 
of the president by host-country military forces. The
RSO  noted  the  general  climate  in  the  capital  was  calm; 
however,  a standfast  order  was  issued,  and  additional 
security  measures  were  implemented.  The  Embassy  released  a 
Warden  Message  regarding  the  actions  against  Zelaya  and  urged 
AmCits  to  remain  in  the  residences  or  hotels  for  the  day. 

¶14. (C) Later in the day, Congress officially named Roberto
Micheletti  interim  president.  The  U.S.  Ambassador  gave  a 
press  conference  outside  the  Embassy;  he  insisted  that 
President  Zelaya  was  the  only  democratically  elected 
president  of  the  country  and  urged  that  freedom  of  expression 
and  circulation  be  restored.  He  also  demanded  the  release  of 
those  government  officials  said  to  be  in  military  custody. 

The  EAC  reconvened  to  assess  the  situation.  Protest  activity 
has  centered  around  the  presidential  palace,  some  roads  in 
the  capital  were  blocked,  and  there  were  some  troops  on  the 
street.  However,  traffic  flow  was  reported  normal  in  most  of 
the  city.  Authorized  Departure  for  family  members  was 
discussed,  but  not  warranted  at  this  time.  Embassy  personnel 
were  advised  to  remain  in  their  homes  for  the  rest  of  the  day 
and  to  limit  their  movements  today,  June  29.  All  Peace  Corps 
volunteers  have  been  accounted  for  and  are  on  standfast.  Post 
will  be  open  today  for  emergency  services  only.  The  EAC  will 
continue  monitoring  events  in-country  and  provide  updated 
information  as  available.  (Tegucigalpa  Spot  Report;  telcon; 
Warden  Message;  Appendix  sources  8-10) 

¶15. (SBU) EUR Germany - A Local Guard Force (LGF) member of
U.S.  Consulate  General  Frankfurt  discovered  two  suspicious 
cases  with  protruding  wires  June  26  while  on  foot  patrol  in 
the  clustered  housing  area.  The  guard  notified  his 
supervisor,  and  the  area  and  two  nearby  apartment  buildings 
were  evacuated.  Responding  police  requested  canine  and 
Explosive  Ordnance  Disposal  (EOD)  support.  After  the  EOD  team 
arrived,  a local  telecom  technician,  who  had  been  working 
nearby,  arrived  at  the  scene  and  claimed  the  unattended 
cases;  the  technician  had  inadvertently  left  the  cases.  After 
further  investigation  and  corroboration  with  the  technician, 
police declared the area safe. (RSO Frankfurt Spot Report)

¶16. (SBU) AF Liberia - Two acts of vandalism were reported to
U.S. Embassy Monrovia on the night of June 27. One took place
at the residence of the chief of the DoD Office of Security
Cooperation, approximately 2.5 miles from Post, where
graffiti was spray painted on the perimeter wall stating,
"COL THE WAR HAS JUST BEGAN." The second incident occurred at
the  facility  of  a USAID-funded  project,  approximately  1.5 
miles  from  the  Embassy,  where  the  messages  "INTERCON  MUST 
LEAVE  NOW,  TAKE  INT"  and  "DANGER"  were  spray  painted  on  the 
compound  wall.  The  RSO  assesses  these  incidents  are 
consistent  with  the  pattern  of  threats  and  intimidation  used 
by  dismissed  Embassy  guards  to  obtain  a favorable  settlement 
with  their  former  employer  through  the  Liberian  Ministry  of 
Labor.  (RSO  Monrovia  Spot  Report) 

¶17. (SBU) Mauritania - U.S. Embassy Nouakchott received a
credible  threat  June  27  regarding  a kidnapping  against  an 
American  in  the  capital  sometime  during  the  night  (NFI).  The 
RSO  considers  the  information  credible  and  made  notifications 
to  staff  to  assure  that  all  official  Americans  were  accounted 
for.  All  residential  LGF  posts  were  manned,  and  radio  checks 
were  increased.  Post  also  issued  a Warden  Message  advising 
AmCits  in-country  of  the  threat.  Please  see  the  Key  Concerns 
section  for  further  information.  (RSO  Nouakchott  Spot  Report) 

¶18. (C//NF) Mauritania - EAC Nouakchott met June 26 to
discuss developments surrounding the murder of an unofficial
American  on  June  23.  Members  were  updated  on  the 
investigative  progress  of  local  authorities.  The  EAC  reviewed 
the  U.S.  Embassy's  tripwires  for  consideration  of  Authorized 
Departure  and/or  drawdown  and  determined  there  was 
insufficient  information  at  this  time  to  recommend  either 
action.  EAC  members  were  reminded  of  the  importance  of  random 
arrivals at Post (effective June 25) along with other
augmented  security  measures. 

¶19. (S//NF) The EAC reconvened June 28, and members were
introduced to FBI assets assigned to investigate the AmCit's
murder  with  host-country  law  enforcement  personnel.  Members 
welcomed  the  team  and  support  their  efforts  on  the 
investigation  while  in-country.  Members  also  discussed  the 
credible  kidnapping  threat  against  an  AmCit  in-country  and 
reviewed  the  enhanced  security  measures  already  in  place. 

Post  issued  a Consular  short  message  system  alert  to  the 
American  community  advising  of  the  threat.  The  EAC  will 
continue  to  review  all  threat  information  as  it  becomes 
available,  while  supporting  the  ongoing  murder  investigation, 
and  the  EAC  will  reconvene  as  needed.  (Appendix  sources  11-12) 

¶20. (SBU) Sudan Update - On June 24, verdicts were issued in
the trial of the five Sudanese men charged with the January
1, 2008, murder of U.S. Embassy Khartoum employees John
Granville and Abdelrahman Abbas. Four of the defendants were
found guilty of intentional killing and sentenced to death
by  hanging.  The  fifth  defendant  was  found  guilty  on  weapons 
charges  and  sentenced  to  two  years  in  prison,  including 
credit  for  time  served  since  his  January  2008  arrest. 

(Khartoum  0790) 

¶21. (SBU) The Gambia - EAC Banjul met June 23 for its monthly
meeting.  It  was  determined  that  the  recent  activity  in 
Tehran,  Iran,  should  not  present  any  additional  danger  for 
U.S.  personnel  or  citizens  in-country;  however,  the  EAC 
agreed  U.S.  Embassy  staff  must  be  more  diligent  in  practicing 
common-sense  security  measures.  EAC  members  deemed  Post's 
current  security  posture  is  sufficient.  (Banjul  0190) 

¶22. (S//NF) NEA Yemen - EAC Sana'a met June 28 to discuss a
write-in  threat  concerning  a VBIED  attack  against  the  U.S. 
Embassy  planned  for  today,  June  29.  The  threat  was  traced  to 
Algeria,  and,  although  such  threats  are  considered  relatively 
common,  Post  officials  are  taking  the  threat  seriously. 

Members  agreed  that  Post's  current  security  upgrades  were 
sufficient  to  deter  and,  if  need  be,  withstand  an  attack; 
however,  members  deemed  it  would  be  prudent  to  request 
additional  security  from  the  Republic  of  Yemen  Government  at 
Post's  perimeter,  in  light  of  the  approaching  July  4 holiday. 
Please  see  the  Key  Concerns  section  for  further  details. 
(Appendix  source  13) 

¶23. (C) SCA Bangladesh - U.S. Embassy Dhaka officials met
with the secretary of Home Affairs to discuss concerns over
an uptick in crimes directed against foreigners in Dhaka's
Diplomatic  Enclave.  The  secretary  stated  the  Government  of 
Bangladesh  (GoB)  had  increased  the  police  presence  in  the 
enclave  May  7,  when  threat  letters  were  sent  to  several 
diplomatic  missions.  Post  officials  will  continue  to  monitor 
the  situation  and  keep  pressure  on  the  GoB  to  provide 
adequate  security  to  the  U.S.  Mission.  (Appendix  source  14) 

¶24. (U) Key Concerns

¶25. (S//NF) AF Mauritania - AQIM threat to kidnap American
citizen:  According  to  the  Spanish  National  Intelligence 
Service  (CNI),  an  unidentified  source  for  the  CNI  service 
center  stated  al-Qa'ida  in  the  Lands  of  the  Islamic  Maghreb 
(AQIM)  planned  to  kidnap  an  unidentified  AmCit  in  Nouakchott 
during  the  evening  of  June  27.  According  to  the  report's 
context  statement,  a CNI  official  provided  the  information 
during  the  course  of  a routine  liaison  meeting.  There  are  no 
additional  details  on  this  information,  and  the  report's 
originators  are  unable  to  assess  the  reliability  of  the 
ultimate  source(s)  of  the  information.  In  addition,  it  is  not 
known  what,  if  any,  vetting  or  validation  procedures  the 
Spanish  service  may  use  to  evaluate  its  sources.  In  separate 
reporting,  AQIM,  as  of  late  June,  had  sent  three  unidentified 
members  to  Mauritania  from  northern  Mali  to  conduct 
operations  against  government  interests  in  Nouakchott  and 
Nouadhibou,  according  to  the  Mauritanian  External 
Intelligence  Service.  It  was  unknown,  according  to  the 
Mauritanian  service,  whether  AQIM  intended  to  attack 
Mauritanian  and/or  foreign  government  facilities  in  those 
cities.  Separately,  AQIM  Tariq  Ibn  Ziyad  battalion  leader 
'Abd  al-Hamid  (Abu  Zaid),  as  of  late  June,  had  delayed  an 
order  for  four  men  to  travel  to  Nouakchott  to  conduct 
unspecified  operations,  according  to  the  Mauritanian  service. 
DS/TIA/ITA  notes  the  latest  threat  information  follows  last 
week's  killing  of  an  American  in  Nouakchott  and  the  possible 
involvement  of  AQIM.  (Appendix  sources  15-16) 

¶26. (S//NF) Nigeria - Extremists believed to be planning a
massive terrorist attack: (S//REL TO USA, FVEY) Tearline
states, "Unspecified extremist groups, suspected to be
operating  in  concert  with  Nigerian  Shi'ites,  Salafiya,  or 
Muhammad Yusuf's Nigerian Taliban are reportedly planning to
launch  a massive  surprise  attack  on  some  piece  of  critical 
infrastructure  or  against  high-profile  targets  within 
Nigeria.  Probable  targets  of  this  attack  include  top  Nigerian 
Government  officials  or  security  agents.  Members  of  the 
general  public,  who  might  be  opposed  to  the  attackers' 
doctrines,  were  also  believed  to  be  possible  targets.  This 
planned  attack  is  reportedly  aimed  at  sparking  sectarian 
clashes  across  Nigeria." 

¶27. (S//NF) DS/TIA/ITA cannot immediately corroborate the
current  threat  with  additional  intelligence.  While  no 
connection  can  be  made  between  this  threat  and  previous 
reports,  DS/TIA/ITA  is  concerned  about  recent  activity 
surrounding  extremists  associated  with  the  Nigerian  Taliban. 

¶28. (S//NF) A well-trained veteran Chadian extremist,
Abu-Mahjin  (Terrorist  Identities  Datamart  Environment  (TIDE) 
number  24350378),  who  has  limited  ties  to  al-Qa'ida 
associates,  recently  traveled  to  Nigeria.  He  may  be  planning 
to  conduct  or  facilitate  a terrorist  operation.  Indeed, 
tearline  from  May  1 claimed,  "An  Islamic  extremist  named 
Abu-Muhjin  has  recently  been  in  northeast  Nigeria.  It  is 
likely  that  he  will  be  joined  by  other  Islamic  extremists  in 
the  coming  weeks."  More  recent  tearline  stated, 
"Nigerian-based  probable  Chadian  extremist  Abu-Mahjin  is  keen 
to  obtain  more  funds  in  connection  with  some  sort  of 
nefarious  activity  (possibly  terrorism  related)  he  is  engaged 
in.  However,  it  is  not  clear  when  he  will  receive  this 
additional finance." Little more is known about Abu-Mahjin's
apparent  efforts  to  organize  a near-term  operation. 

¶29. (S//NF) Though neither the Nigerian Taliban nor its more
militant subset — Tanzim al-Qa'ida group — has ever
attacked Western interests, they have discussed targeting
foreign embassies in the past. In 2007, they reportedly
plotted to attack the U.S., British, and Israeli embassies in
Abuja,  according  to  a single  source  that  remains 
unsubstantiated.  (Appendix  sources  17-19) 

¶30. (C//NF) NEA Algeria/Yemen - Unsubstantiated threat
claiming  suicide  bombing  against  U.S.  embassies:  On  June  26, 
a write-in  to  a USG  website  provided  a message  involving  an 
unsubstantiated  threat  to  U.S.  embassies  in  Algiers,  Algeria, 
and  Sana'a,  Yemen.  The  message  was  posted  in  Arabic  and 
appeared  to  originate  in  Algeria.  The  writer  warned  of  a "big 
attack  against  your  embassies  in  Algeria  and  Yaman  by  suicide 
car  on  29/06/2009"  and  claimed  to  be  an  agent  of  the  Algerian 
Intelligence  Service.  The  writer  provided  an  apparent 
telephone  number  for  confirming  his  information  and  warned, 
"The  second  attack  what  you  will  see  it  is  in  Hassi  Messaud 
in  Sahara  by  a big  number  of  terrorists."  The  report's 
originators  note  that  they  have  no  further  information  to 
corroborate  the  information,  and  the  source  may  have  intended 
to  annoy,  mislead,  or  disrupt  rather  than  to  provide 
legitimate  information.  The  originators  further  note  that  the 
vast  majority  of  such  information  is  not  true,  but,  since 
volunteers  have  provided  authentic  leads  on  occasion,  the 
information  is  provided  for  evaluation  purely  due  to  its 
threat  content.  (Appendix  source  20) 

¶31. (S//NF) Yemen - Al-Qa'ida possibly planning Embassy
attacks:  (S//REL  TO  USA,  FVEY)  According  to  tearline 
information,  "Saudi  authorities  learned  in  late  June  that 
al-Qa'ida  may  be  planning  an  attack  on  Western  and  Middle 
Eastern  embassies  in  Yemen.  There  was  no  additional 
information  on  the  timing  or  exact  location  of  the  planned 
attack."

¶32. (S//NF) DS/TIA/ITA notes this report is likely related to
recent  information  provided  by  a Yemeni  security  official  in 
late  June  regarding  possible  unspecified  al-Qa'ida  in  the 
Arabian  Peninsula  (AQAP)  attacks  against  the  embassies  of  the 
U.S., Qatar, United Arab Emirates, Oman, Saudi Arabia, and
unnamed  European  nations  in  Sana'a.  No  further  information 
was  provided  on  this  general  threat  report. 

¶33. (S//NF) DS/TIA/ITA also notes the continuing AQAP threat
to Western and host-nation interests both in Sana'a and
throughout  Yemen.  Previous  AQAP  attacks  illustrate  a 
willingness  and  capability  to  target  Western  citizens  and 
diplomatic  facilities,  highlighted  by  the  brazen  attack 
against  U.S.  Embassy  Sana'a  in  mid-September  2008.  The  lack 
of  host-nation  political  will  to  combat  AQAP  contributes  to 
an  extremely  permissive  operating  environment  for  extremist 
elements,  suggesting  threat  reporting  against  U.S.  and  other 
foreign  interests  in  Yemen  will  continue  in  both  the  near  and 
medium  term.  (Appendix  sources  21-22) 

¶34. (S//NF) SCA Afghanistan - Threat to unspecified American
in  Kandahar:  As  of  late  June,  Kandahar  Taliban  members  Sadiq, 
Mullah  Hamdullah,  and  Qari  Yousef  intended  to  kidnap  an 
unspecified  American  who  travels  from  Kandahar  Airfield  to 
work  in  Kandahar  city  to  hold  for  ransom.  The  kidnappers 
planned  to  use  a local  Afghan  who  the  American  trusted  to 
place  a substance  in  his  food  to  render  him  unconscious. 
Hamdullah,  a.k.a.  Bari  Alai,  worked  under  the  command  of 
Mullah Faizel who was currently in detention at Guantanamo
Bay.

¶35. (S//NF) While the Taliban operatives named in this report
are  indeed  active  in  and  around  Kandahar  city  to  include 
involvement  in  kidnapping  plots,  DS/TIA/ITA  questions  the 
source's  access  to  operational  plans  by  the  Taliban.  In  past 
reporting,  the  source  has  reported  primarily  on  Taliban 
member  atmospherics  and  movements  in  southern  Afghanistan  and 
only  occasionally  on  threats.  DS/TIA/ITA  assesses  information 
provided  by  the  source  regarding  the  January  2008  kidnapping 
of  an  American  non-governmental  organization  (NGO)  worker  to 
be  inaccurate. 

¶36. (S//NF) That said, periodic reporting indicates
extremists remain keen to abduct another Westerner in
Kandahar city, possibly while traveling to/from Kandahar
Airfield. Tearline states, "Taliban insurgents reportedly
planned  in  late  January  to  kidnap  a U.S.  national  as  he 
traveled  between  Kandahar  Airfield  and  Shur  Andam  Pass, 
Kandahar  Province."  Reporting  from  November  2008  alleged  the 
Taliban  planned  to  kidnap  two  foreign  women  possibly  from 
their  residence  in  northeast  Kandahar  city  or  at  the  Rang 
Rezano  market  they  frequented. 

¶37. (S//NF) Mullah Faizel (variants: Faisal, Fazilfazul; TIDE
number  72569)  was  being  held  at  Guantanamo  Bay  as  of  early 
April  2008.  Mullah  Hamdullah  (possible  TIDE  number  75483)  is 
characterized  in  late-2008  sensitive  reporting  as  a group 
commander  of  a large  number  of  Taliban  in  Helmand  Province. 

The  same  report  noted  Sadiq,  the  brother  of  the  Taliban's 
second-in-command  Mullah  Berader  (TIDE  number  76541),  worked 
at  an  unnamed  U.S.  NGO  and  was  involved  in  planning  an 
unspecified  kidnapping.  (Appendix  sources  23-30) 

¶38. (S//FGI//NF) Pakistan - Militants may be planning to
abduct  U.S.  and  UK  citizens  from  NGOs  and  consulates; 
dual-citizens  in  Peshawar:  Tearline  intelligence  reports, 
"Militants  attached  to  Pakistan's  Mumtaz  Group  may  be 
planning  to  kidnap  U.S.  and  UK  citizens  working  in  NGOs  and 
consulates,  as  well  as  dual-citizen  Pakistanis  who  are  either 
visiting  or  residing  in  Peshawar,  as  of  June  26.  Peshawar's 
University  Town  could  be  the  likely  venue  for  such  an 
operation.  Further,  the  following  individuals  who  probably 
reside  in  (the)  Peshawar  area  could  be  supporters  of  the 
Mumtaz Group: Fahim, son of Ihsanullah; Ayaz; Abdul Rehman
Khan  (Awami  National  Party)  and  his  son,  Yunas  Khan, 
residents  of  Kafir  Dheri,  Peshawar;  Garib  Shah  Badshah;  and 
Muazzam  Badshah,  son  of  Shah  Badshah." 

¶39. (S//FGI//NF) DS/TIA/ITA assesses the Mumtaz Group may be
a reference  to  operations  linked  to  al-Qa'ida  leader  Hamza 
al-Jawfi  (a.k.a.  Mumtaz;  TIDE  number  70390)  who  died  in  a 
late-February  explosion  in  North  Waziristan.  Mumtaz  is  an 
oft-used  alias  by  senior  al-Qa'ida  leaders  that  is  arguably 
inauspicious.  The  now-deceased  Hamzah  Rabi  and  Abu  Khabab 
al-Masri  both  used  this  alias  as  well.  Worryingly,  the  other 
operatives  DS/TIA/ITA  suspects  belong  to  this  group  are 
linked  to  ongoing,  credible  planning  against  Peshawar 
cantonment  as  well  as  American  personnel  and  convoys 
belonging  to  U.S.  Consulate  Peshawar. 

¶40. (S//FGI//NF) Although al-Jawfi is dead, it is possible
the operations referenced can be linked to al-Jawfi's former
courier  and  Imran  (TIDE  number  14399906),  who  collaborates 
closely  with  Mohmand  Agency-based  Tehrik-e-Taliban  Pakistan 
(TTP)  commander  Hakimullah  Mahsud.  Early-April  reporting  from 
Inter-Services Intelligence (ISI) links Imran — described as
an  Uzbeki  militant  responsible  for  the  November  12,  2008, 
murder  of  a USAID  contractor  and  the  August  26,  2008,  ambush 
of  the  principal  officer's  (PO's)  vehicle  in  Peshawar  — to 
TTP  operative  Faruq's  ongoing  planning  for  an  attack  on 
Peshawar's  cantonment  using  multiple  suicide  operatives. 

Faruq is also likely involved in conducting al-Qa'ida-linked
operational  surveillance  against  the  PO  of  U.S.  Consulate 
Peshawar,  a four-vehicle  SUV  protective  convoy,  and  a vehicle 
workshop  also  affiliated  with  Post.  Of  note,  however,  ISI 
reported  the  capture  of  an  individual  named  Imran  in 
mid-June;  although,  it  cannot  be  confirmed  if  this  is  the 
same  Uzbeki  Imran  mentioned  in  earlier  reporting.  (Appendix 
sources  31-38) 

¶41. (S//FGI//NF) Pakistan - Threats against Punjab and
Islamabad:  Reporting  continues  to  circulate  detailing  ongoing 
plans  by  Pakistani  extremists  to  launch  suicide  operations  in 
Punjab  Province  and  Islamabad.  In  Islamabad,  threats  specify 
the  targeting  of  embassies  located  in  the  F-6/2  sector, 
police  post  Aabpara  in  Islamabad,  the  Imam  Bargah  in  G-6/2, 
Senator  Tariq  Azim,  and  Barri  Imam  Shrine.  In  Lahore  and 
greater  Punjab  Province,  suicide  operatives  may  seek  to 
strike  against  foreigners  in  crowded  areas  or  the  Barbar  Data 
Sahib  Shrine.  Although  it  remains  unclear  if  these  named 
targets are an accurate reflection of extremists' operational
plans, it is of note late-June reporting also mentions the
cultivation and use of sympathetic madrassas and extremists
located in targeted cities to carry out future attacks.

¶42. (S//NF) As of late June, TTP reportedly tasked Abdul
Malik  Mujahid  to  launch  suicide  attacks  against  unspecified 
foreigners  in  crowded  places  in  Punjab,  with  Mujahid 
considering  the  use  of  sympathetic  madrassas  as  shelter  prior 
to  conducting  an  attack.  Madrassas  under  consideration 
included  the  Jami  Ashrafia  and  Jamiat  ul-Manzur  ul-Islami  in 
Lahore. Separately, tearline from late June reports,
"Militant commander Khan Bahadur, son of Sher Bahadur, is the
local  militant  commander  in  the  Watkai  area.  Bahadur 
currently  may  be  residing  in  Islamabad,  while  reorganizing 
his group to operate in different parts of Pakistan, as of
June  25."  Although  there  is  limited  information  regarding  the 
identity  of  Khan  Bahadur  (possible  TIDE  number  238258), 
earlier  sensitive  intelligence  suggests  he  has  served  as  an 
interlocutor  in  urban  areas  for  Waziristan-based  militants 
since  2007.  According  to  late-January  2008  tearline,  "...  A 
Khan  Bahadur  (or  Bhadur)  in  Lahore  was  involved  in  efforts  to 
arrange  talks  and  perhaps  a government  announcement  for  a 
cease-fire  and  helping  coordinate  a separate  announcement 
from  the  Mujahidin,  hopefully  by  October  13...." 

¶43. (S//FGI//NF) As underscored by the events during and
following the Lal Masjid (Red Mosque) confrontation in
Islamabad  in  July  2007,  the  continued  existence  of  networks 
in  Islamabad  that  can  organize  and  facilitate  protests  and 
terrorist  activity  in  the  vicinity  of  the  capital  is  indeed 
troubling.  Notably,  a body  of  intelligence  reporting 
preceding the Lal Masjid confrontation suggests
Pakistan-based  extremists  viewed  the  brewing  tension  between 
the  madrassas  and  Islamabad  one  part  of  a larger 
comprehensive  effort  to  re-energize  and  expand  their  jihadi 
operations  from  their  strongholds  in  the  tribal  areas  and 
Northwest  Frontier  Province.  Interestingly,  reporting  from 
May  2007  citing  a commander  10  corps  lieutenant  also  noted  70 
mosques  in  and  around  Islamabad  would  likely  support 
extremist activity associated with the now-infamous Lal
Masjid,  which  was  also  an  unauthorized  mosque.  Of  concern, 
since  2008  attacks  in  Pakistan  have  repeatedly  targeted 
Westerners,  coinciding  with  an  unprecedented  number  of 
attacks  in  both  Lahore  and  Islamabad.  (Appendix  sources  39-47) 

¶44. (U) Cyber Threats

¶45. (U) EUR CTAD comment: The latest version of the National
Security  Strategy  released  by  the  UK  Government  includes  a 
public  cyber  security  strategy.  The  report  calls  for  the 
establishment  of  two  new  offices  with  cyber  security 
responsibilities  and  approves  the  use  of  offensive  operations 
as  a countermeasure  to  attacks  against  British  systems.  The 
Office  of  Cyber  Security,  falling  under  the  Cabinet  Office, 
will  be  the  central  body  charged  with  coordinating  with 
industry  and  developing  strategy.  The  Cyber  Security 
Operations  Centre  based  at  Government  Communications 
Headquarters,  the  UK's  primary  signals  intelligence  agency, 
will  be  responsible  for  conducting  offensive  operations. 
According  to  press  reports,  the  UK  Government  has  hired 
several  former  hackers  to  staff  the  centre. 

¶46. (S//NF) NEA CTAD comment: DoD reporting indicates as of
mid-May,  several  Persian-language  hacker  forums  are  sharing 
information  pertaining  to  a variety  of  hacking  codes,  tools, 
and  video  tutorials.  One  of  the  more  notable  findings  was  a 
PHP-based  "simattacker  code"  — a backdoor  Trojan  horse 
program  that  allows  for  remote  exploitation  of  an  affected 
system  and  can  provide  denial-of-service  capabilities.  This 
particular  malicious  code  is  reportedly  similar  to  a tool 
used  against  Georgian  systems  in  2008  (NFI). 

¶47. (SBU) EAP CTAD comment: According to South Korean press
reporting,  the  Republic  of  Korea's  (RoK's)  Defense  Security 
Command  (DSC)  has  declared  intrusion  attempts  against  the 
RoK's  military  computer  networks  have  increased  20  percent  in 
2009,  compared  to  those  detected  in  2008.  The  DSC  further 
stated  that  89  percent  of  the  attempts  are  unsophisticated 
efforts  to  hack  into  servers  and  Internet  homepages,  whereas 
the remaining 11 percent appear to be more advanced attempts
to obtain intelligence information. Of note, in an effort to
deal with the increasing cyber threat, the RoK's National
Intelligence Service has recommended President Lee Myung-bak
appoint an aide to assist with the country's cyber security
issues.

¶48. (S//NF) SCA CTAD comment: According to Defense
Intelligence Agency reporting, the Government of India (GoI)
continues  efforts  to  advance  its  computer  security  programs 
--  particularly  in  light  of  increased  concerns  over  Chinese 
computer  network  exploitation  efforts  --  but  progress  is 
hampered  by  significant  disagreements  within  its  departments. 
The key GoI organizations involved in developing and
implementing  security  policies  are  identified  as  the  Ministry 
of  Telecommunications  and  the  Research  and  Analysis  Wing. 
Although  the  Indian  Army  is  primarily  responsible  for  the 
security  of  military  networks,  Indian  officials  acknowledge 
Army  representatives  have  been  largely  left  out  of 
discussions.  Additionally,  some  other  key  groups,  such  as  the 
National  Technical  Reconnaissance  Organization  and  the  Indian 
Defense  Intelligence  Agency,  have  reportedly  failed  to  offer 
significant  contributions.  Private  security  companies  are 
also  concerned  that  the  lack  of  input  from  the  private  sector 
may lead to unfair regulations regarding telecommunications
monitoring.

¶49. (SBU) Domestic CTAD comment: On June 22, Websense
Security  Labs  issued  an  alert  after  discovering  the  official 
website  of  the  Embassy  of  Ethiopia  in  Washington,  DC,  had 
been  subverted  with  obfuscated  JavaScript  code  hidden  in  an 
inline  frame  (IFrame)  with  the  goal  of  infecting  visitors  to 
the  site  with  malicious  software  (malware).  The  code 
redirected  users  to  sites  where  malware,  including  Trojan 
downloaders,  were  installed  without  explicit  user  action. 
According  to  the  alert,  the  site  that  hosted  the  malicious 
JavaScript  is  currently  down.  On  March  20,  security  company 
Sophos  discovered  a similar  IFrame  infection  on  the  same 
website.  At  the  time,  researchers  at  Sophos  noted  it 
resembled  the  attack  on  the  Washington,  DC,  Embassy  of 
Azerbaijan  website  that  occurred  in  early  March.  The 
researchers  also  indicated  the  redirected  sites  had  been  used 
by  Russian  cyber  criminals  in  previous  malware  infections. 
(Appendix  sources  48-50) 

1.50. (C) EAP China - Beijing TOPSEC founder indicates PRC
investment:

1.51.  (S//NF)  Key  highlights: 

o Founder  of  TOPSEC  and  iTrusChina  notes  PRC  funding  and 
directive  in  media  interview. 

o TOPSEC  is  China's  largest  provider  of  information  security 
products  and  services. 

o TOPSEC  provides  services  and  training  for  the  PLA  and  has 
recruited  hackers  in  the  past. 

o Potential  linkages  of  China's  top  companies  with  the  PRC 
illustrate  the  government's  use  of  its  "private  sector"  in 
support  of  information  warfare  objectives. 

1.52. (SBU) Source paragraph: "During an interview with
journalists from China News Network, chairman of both Beijing
TOPSEC and iTrusChina, He Weidong, spoke about the two
companies, to include investment and contract from the
Chinese Government (People's Republic of China (PRC)) ....
Tianrongxin's capital came from two parts. The Chinese
Government share one part of the investment, and the
management department (of Tianrongxin) share the other part.
He further stated that Tianrongxin was not really a company
but a research institute; in 1995, the company took contracts
from the government's research and development tasks."

1.53. (S//NF) CTAD comment: In November 1995, He Weidong
founded the security company Tianrongxin, a.k.a. Beijing
TOPSEC Network Security Technology Company, Ltd. TOPSEC is a
China Information Technology Security Center (CNITSEC)
enterprise and has grown to become China's largest provider
of information security products and services. TOPSEC is
credited with launching China's first indigenous firewall in
1996, as well as other information technology (IT) security
products to China's market, to include virtual private
networks, intrusion detection systems, filtering gateways,
and security auditing and management systems. Additionally,
in September 2000, Weidong founded the company
Tianweichengxin, a.k.a. iTrusChina, which became the first
experimental enterprise to develop business Public Key
Infrastructure/Certification Authority services approved by
China's Ministry of Industry and Information Technology.

1.54. (SBU) CTAD comment: During an interview with China News
Network, Weidong stated that half of TOPSEC's start-up
capital came from the PRC, with the other half coming from
the company's management department. Additionally, he pointed
out that TOPSEC began not as a company, but as a small
research institute that took contracts from the government's
research and development tasks (NFI). The turning point for
TOPSEC came in 1996 when the company won a significant
contract bid from the Chinese State Statistics Bureau. Since
winning the bid, TOPSEC maintained a 100-percent sales growth
in the following years. Weidong noted the company started out
with 30,000 RMB (approximately $4,400) in 1995, and by 2002,
had earnings of 3 billion RMB (approximately $440,000,000).
Interestingly, shareholders did not receive bonuses, as all
earnings went for future investment. Weidong also stated a
bank loan was never used.

1.55. (S//NF) CTAD comment: Of note, the CNITSEC is responsible
for overseeing the PRC's Information Technology (IT) security
certification program. It operates and maintains the National
Evaluation and Certification Scheme for IT security and
performs tests for information security products. In 2003,
the CNITSEC signed a Government Security Program (GSP)
international agreement with Microsoft that allowed select
companies such as TOPSEC access to Microsoft source code in
order to secure the Windows platform. XXXXXXXXXXXX

1.56. (S//NF) CTAD comment: Additionally, CNITSEC enterprises
have recruited Chinese hackers in support of nationally-funded
"network attack scientific research projects." From June 2002
to March 2003, TOPSEC employed a known Chinese hacker, Lin
Yong (a.k.a. Lion and owner of the Honker Union of China), as
senior security service engineer to manage security service
and training. Venus Tech, another CNITSEC enterprise privy to
the GSP, is also known to affiliate with XFocus, one of the
few Chinese hacker groups known to develop exploits to new
vulnerabilities in a short period of time, as evidenced in
the 2003 release of Blaster Worm (See CTAD Daily Read File
(DRF) April 4, 2008).

1.57.  (S//NF)  CTAD  comment:  While  links  between  top  Chinese 
companies  and  the  PRC  are  not  uncommon,  it  illustrates  the 
PRC's  use  of  its  "private  sector"  in  support  of  governmental 
information  warfare  objectives,  especially  in  its  ability  to 
gather,  process,  and  exploit  information.  As  evidenced  with 
TOPSEC,  there  is  a strong  possibility  the  PRC  is  harvesting 
the  talents  of  its  private  sector  in  order  to  bolster 
offensive  and  defensive  computer  network  operations 
capabilities.  (Appendix  sources  51-52) 

1.58.  (U)  Suspicious  Activity  Incidents 

1.59.  (SBU)  EUR  Iceland  - A man  and  a woman  photographed  in  the 
area  north  of  U.S.  Embassy  Reykjavik  June  25.  They  then 
walked  toward  the  backside  of  the  Post,  where  they  took 
additional  photographs  before  departing  on  foot.  The  man  was 
seen  photographing  in  the  neighborhood  for  an  additional  3 
hours.  The  Surveillance  Detection  Team  found  it  unusual  the 
subjects  photographed  sites  other  than  tourist  attractions. 
(SIMAS  Event:  Reykjavik-00257-2009) 

1.60. (SBU) AF Guinea - Two young men photographed U.S.
Embassy Conakry June 25. A gendarme stopped the pair and took
them to a nearby security booth where they were interviewed
by Post's foreign security national investigator. Their
photos of the Embassy were deleted, and the subjects were
released with a warning.

1.61. (SBU) Record Check/Investigation: Subject 1: Mamdou
Mouminatou Diallo. XXXXXXXXXXXX Labe, Guinea. Cell phone
number: XXXXXXXXXXXX Subject 2: Mamadou Diallo. XXXXXXXXXXXX
Koundara, Guinea. Cell phone number: XXXXXXXXXXXX (SIMAS
Event: Conakry-01492-2009)

1.62. (SBU) NEA Tunisia - A man sat at Marsaoul Café in Tunis
focusing on the road leading to the U.S. Ambassador's
residence June 4. After 30 minutes, the subject got into his
car and departed the area. The man was previously seen at the
café on May 15 for approximately 1 hour.

1.63. (SBU) RSO Action/Assessment: The café is located at the
foot of the hill near the Ambassador's residence (the
residence is located at the end of the road, approximately
one-quarter to one-half mile away). This is the second time
the individual and vehicle were spotted. However, Tunisian
police do not share information concerning routine traffic
stops or suspicious persons questioned/seen near the Embassy
or Ambassador's residence. If the vehicle is seen again, the
RSO will attempt to retrieve information on the owner.

1.64. (SBU) Record Check/Investigation: Vehicle: Gray
Volkswagen; License plate: 8020TU97. (SIMAS Event:
Tunis-02054-2009)

SECRET//FGI//NOFORN

Full  Appendix  with  sourcing  available  upon  request. 